This isn't strictly true, because there are on-path non-cache-
poisoning attacks to DNS that are not MitM attacks but that let me
reliably MitM your HTTP connections. And these attacks are easily
prevented with DNSSEC, and completely unpreventable with, e.g., port
randomization.
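The distinction the reply draws (an on-path observer sees the query, so TXID and source-port entropy buy nothing, whereas a response must carry a signature the observer cannot produce) can be shown in a small model. This is an added illustration, not code from the thread; the `hmac` "zone signature" is a constructed stand-in for a DNSSEC RRSIG, and the key names, record values and `resolve()` helper are all assumptions made for the example (real DNSSEC uses asymmetric keys validated through a DS/DNSKEY chain from the root).

```python
"""Toy model: port randomization vs. signature validation against an on-path
DNS forger.  Illustration only; the HMAC stands in for a DNSSEC RRSIG."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int
    src_port: int
    name: str


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int
    name: str
    addr: str
    sig: bytes  # constructed stand-in for an RRSIG over (name, addr)


# Constructed keys: the zone key is what the validating resolver trusts (via the
# chain of trust in real DNSSEC); the attacker has no way to obtain it.
ZONE_KEY = b"constructed-zone-signing-key"
ATTACKER_KEY = b"constructed-attacker-key"


def sign(key: bytes, name: str, addr: str) -> bytes:
    return hmac.new(key, f"{name}|{addr}".encode(), hashlib.sha256).digest()


def make_query(name: str) -> Query:
    # Random TXID and random source port: the "port randomization" defence.
    return Query(secrets.randbelow(1 << 16), 1024 + secrets.randbelow(64511), name)


def legit_answer(q: Query, addr: str = "192.0.2.10") -> Response:
    return Response(q.txid, q.src_port, q.name, addr, sign(ZONE_KEY, q.name, addr))


def on_path_forgery(q: Query, addr: str = "198.51.100.66") -> Response:
    # An on-path observer has *seen* the query: txid and port are copied, not
    # guessed.  The only field it cannot reproduce is a valid zone signature.
    return Response(q.txid, q.src_port, q.name, addr, sign(ATTACKER_KEY, q.name, addr))


def accept_unvalidated(q: Query, r: Response) -> bool:
    # Classic resolver: matching txid + destination port is the whole check.
    return r.txid == q.txid and r.dst_port == q.src_port and r.name == q.name


def accept_validated(q: Query, r: Response) -> bool:
    # Validating resolver: additionally require a signature under the trusted key.
    return accept_unvalidated(q, r) and hmac.compare_digest(
        r.sig, sign(ZONE_KEY, r.name, r.addr)
    )


def resolve(name: str, attacker_on_path: bool, validating: bool):
    """Return the address the resolver ends up believing, or None."""
    q = make_query(name)
    # An on-path forger answers before the real server does.
    candidates = [on_path_forgery(q), legit_answer(q)] if attacker_on_path else [legit_answer(q)]
    accept = accept_validated if validating else accept_unvalidated
    for r in candidates:
        if accept(q, r):
            return r.addr  # first acceptable answer wins, as in a real resolver
    return None


if __name__ == "__main__":
    print("no validation, on-path attacker:", resolve("example.test", True, False))
    print("validation,    on-path attacker:", resolve("example.test", True, True))
```

Run it and the unvalidated resolver returns the forged address every time, regardless of how random the port and TXID were, while the validating resolver discards the forgery and keeps the signed answer. That is the whole of the argument: entropy in the query only helps against an off-path guesser, and a signature is the only field an on-path observer cannot copy.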